Today we’re excited to announce the date for Upstream 2023: it will take place on June 7. Upstream is an entirely virtual one-day celebration of open source, the developers who use it, and the maintainers who make it.
Want to reserve your spot? The first 500 registrants are eligible for a free shirt (U.S.-based only, sorry). Register now.
We’ve also opened the call for presentations (deadline is April 7!), and are actively looking for speakers to help us explore this year’s theme: the accidental supply chain.
Picture this: you keep running into bugs in the JavaScript application you're building for work. All the debuggers you find online are old, unmaintained, and not very good, so you fork one, fix it, put it back online, and share it under an open source license so others can use this new debugger for their own projects. Suddenly, lots of others are using it, and you're stuck with a choice:
Do you:
And that, folks, is just one way to become part of an accidental supply chain, the theme of Upstream 2023.
In the wake of an increasing number of cybersecurity threats, government and industry alike are developing new standards, requirements, and guidelines that they expect open source software to meet.
The good news: this increased attention on open source software security will hopefully produce more resilient software. The bad news: Who exactly do we expect to do that work? The unpaid volunteer maintainer who finds themselves a part of an accidental supply chain?
This dilemma is something Tidelift co-founder and Upstream co-chair Luis Villa has likened to unfunded mandates. In U.S. politics, an “unfunded mandate” occurs when a government requires someone else (usually, a lower-level government organization) to do new work, while not allocating funding for this work.
In the debugger example, this is like asking the unpaid maintainer to maintain this debugger to a new heightened industry security and maintenance standard so you can continue using it in your organization’s applications—but not paying them to do it.
We think the concept of an accidental supply chain is ripe for conversation this year, especially in light of increasing demands on open source maintainers. Obviously at Tidelift we think part of the solution is paying maintainers to do this important work, but there are plenty of other ways we can make the accidental open source software supply chain, well, a little less accidental.
We’ve opened our call for presentations, and want to hear from you! We’re accepting presentations until April 7, 2023, but don’t wait too long. Last year slots filled up very quickly. Submit your talk here!
And don’t forget to RSVP for the event. The first 500 registrants are eligible for a free shirt (U.S.-based only, sorry). Register now.